EP3823425A1 - Operator action authentication in an industrial control system - Google Patents
Operator action authentication in an industrial control system Download PDFInfo
- Publication number
- EP3823425A1 EP3823425A1 EP20201408.0A EP20201408A EP3823425A1 EP 3823425 A1 EP3823425 A1 EP 3823425A1 EP 20201408 A EP20201408 A EP 20201408A EP 3823425 A1 EP3823425 A1 EP 3823425A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- action
- request
- communications
- datagram
- control module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000009471 action Effects 0.000 title claims abstract description 240
- 238000004891 communication Methods 0.000 claims abstract description 118
- 238000000034 method Methods 0.000 claims description 39
- 238000004519 manufacturing process Methods 0.000 claims description 14
- 230000004044 response Effects 0.000 claims description 12
- 238000003860 storage Methods 0.000 claims description 9
- 238000012544 monitoring process Methods 0.000 claims description 3
- 230000015654 memory Effects 0.000 claims description 2
- 230000008878 coupling Effects 0.000 claims 1
- 238000010168 coupling process Methods 0.000 claims 1
- 238000005859 coupling reaction Methods 0.000 claims 1
- 230000008569 process Effects 0.000 description 21
- 230000006870 function Effects 0.000 description 7
- 230000001413 cellular effect Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000001276 controlling effect Effects 0.000 description 3
- 238000007670 refining Methods 0.000 description 3
- 239000000126 substance Substances 0.000 description 3
- 238000004378 air conditioning Methods 0.000 description 2
- 235000013361 beverage Nutrition 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 239000003814 drug Substances 0.000 description 2
- 238000005265 energy consumption Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000010438 heat treatment Methods 0.000 description 2
- 238000005286 illumination Methods 0.000 description 2
- 229910052751 metal Inorganic materials 0.000 description 2
- 239000002184 metal Substances 0.000 description 2
- 150000002739 metals Chemical class 0.000 description 2
- 238000005065 mining Methods 0.000 description 2
- 238000010248 power generation Methods 0.000 description 2
- 230000001737 promoting effect Effects 0.000 description 2
- 230000005855 radiation Effects 0.000 description 2
- 230000001105 regulatory effect Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 238000009423 ventilation Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 239000002351 wastewater Substances 0.000 description 2
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 2
- 206010042602 Supraventricular extrasystoles Diseases 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 230000008713 feedback mechanism Effects 0.000 description 1
- 239000012530 fluid Substances 0.000 description 1
- 239000007789 gas Substances 0.000 description 1
- 238000009776 industrial production Methods 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 239000003921 oil Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000011112 process operation Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present application is a continuation-in-part of International Application No. PCT/US2013/053721, filed August 6, 2013 , and titled, "SECURE INDUSTRIAL CONTROL SYSTEM.”
- the present application is also a continuation-in-part under 35 U.S.C. ⁇ 120 of U.S. Patent Application Serial No. 14/469,931, filed August 27, 2014 , and titled “SECURE INDUSTRIAL CONTROL SYSTEM.”
- the present application is also a continuation-in-part under 35 U.S.C. ⁇ 120 of U.S. Patent Application Serial No. 14/446,412, filed July 30, 2014 , and titled "INDUSTRIAL CONTROL SYSTEM CABLE,” which claims priority under 35 U.S.C.
- Industrial control systems such as standard industrial control systems (ICS) or programmable automation controllers (PAC), include various types of control equipment used in industrial production, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and industrial safety systems certified to safety standards such as IEC1508. These systems are used in industries including electrical, water and wastewater, oil and gas production and refining, chemical, food, pharmaceuticals and robotics. Using information collected from various types of sensors to measure process variables, automated and/or operator-driven supervisory commands from the industrial control system can be transmitted to various actuator devices such as control valves, hydraulic actuators, magnetic actuators, electrical switches, motors, solenoids, and the like. These actuator devices collect data from sensors and sensor systems, open and close valves and breakers, regulate valves and motors, monitor the industrial process for alarm conditions, and so forth.
- SCADA supervisory control and data acquisition
- DCS distributed control systems
- PLC programmable logic controllers
- IEC1508 industrial safety systems certified to safety standards
- SCADA systems can use open-loop control with process sites that may be widely separated geographically. These systems use Remote Terminal Units (RTUs) to send supervisory data to one or more control centers.
- RTUs Remote Terminal Units
- SCADA applications that deploy RTU's include fluid pipelines, electrical distribution and large communication systems.
- DCS systems are generally used for real-time data collection and continuous control with high-bandwidth, low-latency data networks and are used in large campus industrial process plants, such as oil and gas, refining, chemical, pharmaceutical, food and beverage, water and wastewater, pulp and paper, utility power, and mining and metals.
- PLCs more typically provide Boolean and sequential logic operations, and timers, as well as continuous control and are often used in stand-alone machinery and robotics.
- ICE and PAC systems can be used in facility processes for buildings, airports, ships, space stations, and the like (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).
- HVAC Heating, Ventilation, and Air Conditioning
- PACs can include aspects of SCADA, DCS, and PLCs.
- a secure industrial control system includes one or more communications/control modules that control or drive one or more industrial elements (e.g., input/output (I/O) modules, power modules, field devices, switches, workstations, and/or physical interconnect devices). Operator actions and/or other commands or requests can be secured via an authentication path from an action originator to a communications/control module.
- the industrial control system requires an action authenticator to sign an action request generated by the action originator.
- the destination communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.
- the communications/control module includes at least one processor and a non-transitory medium bearing a set of instructions executable by the processor.
- the set of instructions includes at least instructions to: receive an action request initiated by an action originator and signed by an action authenticator; verify the authenticity of the signed action request; and perform a requested action when the authenticity of the signed action request is verified.
- a method of authenticating a requested action includes: signing an action request with an action authenticator; sending the signed action request to a communications/control module; verifying the authenticity of the signed action request; and performing a requested action with the communications/control module when the authenticity of the signed action request is verified.
- control elements/subsystems e.g., input/output (I/O) modules, power modules, process sensors and/or actuators, switches, workstations, and/or physical interconnect devices
- control elements/subsystems e.g., one or more communications/control modules
- the control elements/subsystems operate according to programming and action requests (e.g., executable software modules, control commands, data requests, and the like) received from an action originator such as, but not limited to: an operator interface (e.g., SCADA or human machine interface (HMI)), an engineering interface, a local application, and/or a remote application.
- an operator interface e.g., SCADA or human machine interface (HMI)
- HMI human machine interface
- the industrial control system can be vulnerable to unauthorized access to data and/or controls.
- the industrial control system can be vulnerable to malware, spyware, or other corrupt/malicious software that can be transmitted in the form of an update, application image, control command, or the like.
- Simply authenticating the operator may not be enough to secure the system from malicious actors or even unintentionally unauthorized requests/commands that can be originated via a valid login or a seemingly valid (e.g., hacked) application or operator/engineering interface.
- the present disclosure is directed to industrial control system communications/control modules, subsystems and techniques for preventing unauthorized action requests from being processed in an industrial control system.
- a predefined selection of operations or all operator actions and/or other control actions or requests are secured via an authentication path from an action originator to a communications/control module.
- the industrial control system requires an action authenticator to sign an action request generated by the action originator. Unsigned action requests may automatically result in an error and will not be processed or executed by the communications/control module.
- the communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.
- FIG. 1 illustrates an industrial control system 100 in accordance with an example embodiment of the present disclosure.
- the industrial control system 100 may comprise an industrial control system (ICS), a programmable automation controller (PAC), a supervisory control and data acquisition (SCADA) system, a distributed control system (DCS), programmable logic controller (PLC), and industrial safety system certified to safety standards such as IEC1508, or the like.
- the industrial control system 100 uses a communications control architecture to implement a distributed control system that includes one or more industrial elements (e.g., input/output modules, power modules, field devices, switches, workstations, and/or physical interconnect devices) that are controlled or driven by one or more control elements or subsystems 102 distributed throughout the system.
- industrial elements e.g., input/output modules, power modules, field devices, switches, workstations, and/or physical interconnect devices
- one or more I/O modules 104 may be connected to one or more communications/control modules 106 making up the control element/subsystem 102.
- the industrial control system 100 is configured to transmit data to and from the I/O modules 104.
- the I/O modules 104 can comprise input modules, output modules, and/or input and output modules.
- input modules can be used to receive information from input devices 130 (e.g., sensors) in the process, while output modules can be used to transmit instructions to output devices (e.g., actuators).
- an I/O module 104 can be connected to a process sensor for measuring pressure in piping for a gas plant, a refinery, and so forth and/or connected to a process actuator for controlling a valve, binary or multiple state switch, transmitter, or the like.
- Field devices 130 are communicatively coupled with the IO modules 104 either directly or via network connections. These devices 130 can include control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.
- the I/O modules 104 can be used the industrial control system 100 collect data in applications including, but not necessarily limited to critical infrastructure and/or industrial processes, such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).
- critical infrastructure and/or industrial processes such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).
- HVAC Heating, Ventilation, and Air Conditioning
- an I/O module 104 can be configured to convert analog data received from the sensor to digital data (e.g., using Analog-to-Digital Converter (ADC) circuitry, and so forth).
- An I/O module 104 can also be connected to one or more process actuators such as a motor or a regulating valve or an electrical relay and other forms of actuators and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, or position of the regulating valve or state of the electrical relay and so forth.
- the I/O module 104 can be configured to convert digital data to analog data for transmission to the actuator (e.g., using Digital-to-Analog (DAC) circuitry, and so forth).
- DAC Digital-to-Analog
- one or more of the I/O modules 104 can comprise a communications module configured for communicating via a communications sub-bus, such as an Ethernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a Highway Addressable Remote Transducer (HART) bus, a Modbus, and so forth.
- a communications sub-bus such as an Ethernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a Highway Addressable Remote Transducer (HART) bus, a Modbus, and so forth.
- two or more I/O modules 104 can be used to provide fault tolerant and redundant connections for various field devices 130 such as control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.
- Each I/O module 104 can be provided with a unique identifier (ID) for distinguishing one I/O module 104 from another I/O module 104.
- ID unique identifier
- an I/O module 104 is identified by its ID when it is connected to the industrial control system 100.
- Multiple I/O modules 104 can be used with the industrial control 100 to provide redundancy.
- two or more I/O modules 104 can be connected to a process sensor and/or actuator.
- Each I/O module 104 can include one or more ports that furnish a physical connection to hardware and circuitry included with the I/O module 104, such as a printed circuit board (PCB), and so forth.
- PCB printed circuit board
- each I/O module 104 includes a connection for a cable that connects the cable to a printed wiring board (PWB) in the I/O module 104.
- PWB printed wiring board
- One or more of the I/O modules 104 can include an interface for connecting to other networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a Global System for Mobile communications (GSM) network; a wireless computer communications network, such as a Wi-Fi network (e.g., a Wireless LAN (WLAN) operated using IEEE 802.11 network standards); a Personal Area Network (PAN) (e.g., a Wireless PAN (WPAN) operated using IEEE 802.15 network standards); a Wide Area Network (WAN); an intranet; an extranet; an internet; the Internet; and so on. Further, one or more of the I/O modules 104 can include a connection for connecting an I/O module 104 to a computer bus, and so forth.
- a wide-area cellular telephone network such as a 3G cellular network, a 4G cellular network, or a Global System for Mobile communications (GSM) network
- GSM Global System
- the communications/control modules 106 can be used to monitor and control the I/O modules 104, and to connect two or more I/O modules 104 together.
- a communications/control module 106 can update a routing table when an I/O module 104 is connected to the industrial control system 100 based upon a unique ID for the I/O module 104.
- each communications/control module 106 can implement mirroring of informational databases regarding the I/O modules 104 and update them as data is received from and/or transmitted to the I/O modules 104.
- two or more communications/control module 106 are used to provide redundancy.
- the communications/control module 106 can be configured to perform an authentication sequence or handshake to authenticate one another at predefined events or times including such as startup, reset, installation of a new control module 106, replacement of a communications/control module 106, periodically, scheduled times, and the like.
- each communications/control module 106 or any other industrial element/controller 206 can be at least partially operated according to requests/commands from an action originator 202.
- the action originator 202 includes an operator interface 208 (e.g., SCADA or HMI), an engineering interface 210 including an editor 212 and a compiler 214, a local application 220, a remote application 216 (e.g., communicating through a network 218 via a local application 220), or the like.
- an operator interface 208 e.g., SCADA or HMI
- an engineering interface 210 including an editor 212 and a compiler 214
- a local application 220 e.g., a remote application 216 (e.g., communicating through a network 218 via a local application 220), or the like.
- the industrial element/controller 206 processes an action request (e.g., request for data, control command, firmware/software update, set point control, application image download, or the like) only when the action request has been signed and/or encrypted by an action authenticator 204. This prevents unauthorized action requests from valid user profiles and further secures the system from unauthorized action requests coming from invalid (e.g., hacked) profiles.
- an action request e.g., request for data, control command, firmware/software update, set point control, application image download, or the like
- the action authenticator 204 can either be on-site with the action originator 202 (e.g., directly connected device lifecycle management system ("DLM") 222 or secured workstation 226) or remotely located (e.g., DLM 222 connected via the network 218).
- the action authenticator 204 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 202 with the private key.
- the private key is stored in a memory that cannot be accessed via standard operator login.
- the secured workstation 226 can require a physical key, portable encryption device (e.g., smart card, RFID tag, or the like), and/or biometric input for access.
- the action authenticator 204 includes a portable encryption device such as a smart card 224 (which can include a secured microprocessor).
- a portable encryption device such as a smart card 224 (which can include a secured microprocessor).
- the entire device including the privately stored key and processor in communication therewith
- the action request from the action originator 202 can be securely signed and/or encrypted within the architecture of the portable encryption device instead of a potentially less secure workstation or cloud-based architecture. This secures the industrial control system 100 from unauthorized actions. For instance, an unauthorized person would have to physically take possession of the smart card 224 before being able to authenticate any action requests sent via the action originator 202.
- the action authenticator 204 can include a secured workstation 226 that is only accessible to sign and/or encrypt action requests via smart card access or the like.
- the secured workstation 226 can be accessible via a biometric or multifactor cryptography device 228 (e.g., fingerprint scanner, iris scanner, and/or facial recognition device).
- a multifactor cryptography device 228 requires a valid biometric input before enabling the smart card 224 or other portable encryption device to sign the action request.
- the communications/control module 106 or any other industrial element/controller 206 being driven by the action originator 202 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.
- the industrial element/controller 206 includes a storage medium 230 (e.g., SD/micro-SD card, HDD, SSD, or any other non-transitory storage device) configured to store the action request (e.g., application image, control command, and/or any other data sent by the action originator).
- the communications/control module 106 or any other industrial element/controller 206 further includes a processor 232 that performs/executes the action request (i.e., performs the requested action) after the signature is verified.
- the action request is encrypted by the action originator 202 and/or the action authenticator 232 and must also be decrypted by the processor 232 before the requested action can be performed.
- the communications/control module 106 or any other industrial element/controller 206 includes a virtual key switch 234 (e.g., a software module running on the processor 232) that enables the processor 232 to perform the requested action only after the action request signature is verified and/or after the action request is decrypted.
- each and every action or each one of a selection of critical actions must clear the authentication path before being run on the communications/control module 106 or any other industrial element/controller 206.
- FIGS. 4 and 5 illustrate a method 300 of authenticating an action request in accordance with exemplary embodiments of this disclosure.
- the method 300 can be manifested by the industrial control system 100 and/or authentication path 200 of the industrial control system 100.
- the method 300 includes: (302) originating an action request (e.g., via an operator/engineering interface 208/210 or a remote/local application interface 216/220); (304) signing the action request with the action authenticator 204; (312) optionally encrypting the action request with the action authenticator 204; (306) sending or downloading the signed action request to a communications/control module 106 or any other industrial element/controller 206; (308) verifying the authenticity of the signed action request; (314) optionally decrypting the action request with the communications/control module 106 or any other industrial element/controller 206; and (310) performing a requested action with the communications/control module 106 or any other industrial element/controller 206 when the authenticity of the signed action request is verified.
- an action request e.g
- the communications/control module 106 or any other industrial element/controller 206 can be further configured to perform an authentication sequence with the action authenticator 204 (e.g., with a smart card 224 or the like) before the requested action is run by the communications/control module 106 or any other industrial element/controller 206.
- the so-called "handshake" can be performed prior to step 310 or even prior to step 306.
- the signature and verification steps 304 and 308 can be completely replaced with a more intricate authentication sequence.
- the authentication sequence can be performed as an additional security measure to augment the simpler signature verification and/or decryption measures.
- the authentication sequence implemented by the communications/control module 106 or any other industrial element/controller 206 can include: sending a request datagram to the action authenticator 204, the request datagram including a first nonce, a first device authentication key certificate (e.g., a first authentication certificate that contains a device authentication key), and a first identity attribute certificate; receiving a response datagram from the action authenticator 204, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate (e.g., a second authentication certificate that contains a device authentication key), and a second identity attribute certificate; validating the response datagram by verifying the first signature associated with the first and second nonces, the second device authentication key certificate, and the second identity attribute certificate; and sending an authentication datagram to the action authenticator 204 when the response datagram is valid, the authentication datagram including a second signature associated with the first and second nonces.
- a first device authentication key certificate e.g., a first authentication certificate that contains a
- the action authenticator 204 can initiate the handshake, in which case the authentication sequence implemented by the communications/control module 106 or any other industrial element/controller 206 can include: receiving a request datagram from the action authenticator 204, the request datagram including a first nonce, a first device authentication key certificate, and a first identity attribute certificate; validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate; sending a response datagram to the action authenticator 204 when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate; receiving an authentication datagram from the action authenticator 204, the authentication datagram including a second signature associated with the first and second nonces; and validating the authentication datagram by verifying the second signature associated with the first and second nonces.
- Each of the action originator 202, the action authenticator 204, and communications/control module 106 or any other industrial element/controller 206 can include circuitry and/or logic enabled to perform the functions or operations (e.g., blocks of method 300 and the authentication sequence) described herein.
- each of the action originator 202, the action authenticator 204, and the communications/control module 106 or any other industrial element/controller 206 can include one or more processors that execute program instruction stored permanently, semi-permanently, or temporarily by a non-transitory machine readable medium such as, but not limited to: a hard disk drive (HDD), solid-state disk (SDD), optical disk, magnetic storage device, flash drive, or SD/micro-SD card.
- HDD hard disk drive
- SDD solid-state disk
- magnetic storage device magnetic storage device
- flash drive or SD/micro-SD card
- data transmitted by the industrial control system 100 can be packetized, i.e., discrete portions of the data can be converted into data packets comprising the data portions along with network control information, and so forth.
- the industrial control system 100 can use one or more protocols for data transmission, including a bit-oriented synchronous data link layer protocol such as High-Level Data Link Control (HDLC).
- HDLC High-Level Data Link Control
- the industrial control system 100 implements HDLC according to an International Organization for Standardization (ISO) 13239 standard, or the like.
- ISO International Organization for Standardization
- two or more communications/control modules 106 can be used to implement redundant HDLC.
- HDLC is provided by way of example only and is not meant to be restrictive of the present disclosure.
- the industrial control system 100 can use other various communications protocols in accordance with the present disclosure.
- One or more of the communications/control module 106 can be configured for exchanging information with components used for monitoring and/or controlling the field devices 130 (e.g., sensor and/or actuator instrumentation) connected to the industrial control system 100 via the I/O modules 104, such as one or more control loop feedback mechanisms/controllers.
- a controller can be configured as a microcontroller/Programmable Logic Controller (PLC), a Proportional-Integral-Derivative (PID) controller, and so forth.
- PLC microcontroller/Programmable Logic Controller
- PID Proportional-Integral-Derivative
- the I/O modules 104 and the communications/control modules 106 include network interfaces, e.g., for connecting one or more I/O modules 104 to one or more controllers via a network.
- a network interface can be configured as a Gigabit Ethernet interface for connecting the I/O modules 104 to a Local Area Network (LAN).
- LAN Local Area Network
- two or more communications/control modules 106 can be used to implement redundant Gigabit Ethernet.
- Gigabit Ethernet is provided by way of example only and is not meant to be restrictive of the present disclosure.
- a network interface can be configured for connecting the communications/control modules 106 to other various networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a GSM network; a wireless computer communications network, such as a Wi-Fi network (e.g., a WLAN operated using IEEE 802.11 network standards); a PAN (e.g., a WPAN operated using IEEE 802.15 network standards); a WAN; an intranet; an extranet; an internet; the Internet; and so on.
- a network interface can be implemented using a computer bus.
- a network interface can include a Peripheral Component Interconnect (PCI) card interface, such as a Mini PCI interface, and so forth.
- the network can be configured to include a single network or multiple networks across different access points.
- PCI Peripheral Component Interconnect
- the industrial control system 100 can receive electrical power from multiple sources. For example, AC power is supplied from a power grid 108 (e.g., using high voltage power from AC mains). AC power can also be supplied using local power generation (e.g., an on-site turbine or diesel local power generator 110). A power supply 112 is used to distribute electrical power from the power grid 108 to automation equipment of the industrial control system 100, such as controllers, I/O modules, and so forth. A power supply 112 can also be used to distribute electrical power from the local power generator 110 to the industrial control system equipment. The industrial control system 100 can also include additional (backup) power supplies configured to store and return DC power using multiple battery modules. For example, a power supply 112 functions as a UPS. In embodiments of the disclosure, multiple power supplies 112 can be distributed (e.g., physically decentralized) within the industrial control system 100.
- UPS additional (backup) power supplies 112 can be distributed (e.g., physically decentralized) within the industrial control system 100.
- control elements/subsystems and/or industrial elements are connected together by one or more backplanes 114.
- communications/control modules 106 can be connected to I/O modules 104 by a communications backplane 116.
- power supplies 112 can be connected to I/O modules 104 and/or to communications/control modules 106 by a power backplane 118.
- physical interconnect devices e.g., switches, connectors, or cables such as, but not limited to, those described in U.S. Non-provisional Application Serial No.
- 14/446,412 are used to connect to the I/O modules 104, the communications/control modules 106, the power supplies 112, and possibly other industrial control system equipment.
- a cable can be used to connect a communications/control module 106 to a network 120
- another cable can be used to connect a power supply 112 to a power grid 108
- another cable can be used to connect a power supply 112 to a local power generator 110, and so forth.
- the industrial control system 100 implements a secure control system.
- the industrial control system 100 includes a security credential source (e.g., a factory 122) and a security credential implementer (e.g., a key management entity 124).
- the security credential source is configured to generate a unique security credential (e.g., a key, a certificate, etc., such as a unique identifier, and/or a security credential).
- the security credential implementer is configured to provision the control elements/subsystems and/or industrial elements (e.g., cables, devices 130, I/O modules 104, communications/control modules 106, power supplies 112, and so forth) with a unique security credential generated by the security credential source.
- Multiple (e.g., every) device 130, I/O module 104, communications/control module 106, power supply 112, physical interconnect devices, etc., of the industrial control system 100 can be provisioned with security credentials for providing security at multiple (e.g., all) levels of the industrial control system 100.
- the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth can be provisioned with the unique security credentials (e.g., keys, certificates, etc.) during manufacture (e.g., at birth), and can be managed from birth by a key management entity 124 of the industrial control system 100 for promoting security of the industrial control system 100.
- communications between the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, of the industrial control system 100 includes an authentication process.
- the authentication process can be performed for authenticating control elements/subsystem and/or industrial elements including the sensors and/or actuators and so forth, implemented in the industrial control system 100.
- the authentication process can utilize security credentials associated with the element and/or physical interconnect device for authenticating that element and/or physical interconnect device.
- the security credentials can include encryption keys, certificates (e.g., public key certificates, digital certificates, identity certificates, security certificates, asymmetric certificates, standard certificates, non-standard certificates) and/or identification numbers.
- multiple control elements/subsystems and/or industrial elements of the industrial control system 100 are provisioned with their own unique security credentials.
- each element of the industrial control system 100 may be provisioned with its own unique set(s) of certificates, encryption keys and/or identification numbers when the element is manufactured (e.g., the individual sets of keys and certificates are defined at the birth of the element).
- the sets of certificates, encryption keys and/or identification numbers are configured for providing/supporting strong encryption.
- the encryption keys can be implemented with standard (e.g., commercial off-the-shelf (COTS)) encryption algorithms, such as National Security Agency (NSA) algorithms, National Institute of Standards and Technology (NIST) algorithms, or the like.
- COTS commercial off-the-shelf
- the element being authenticated can be activated, partial functionality of the element can be enabled or disabled within the industrial control system 100, complete functionality of the element can be enabled within the industrial control system 100, and/or functionality of the element within the industrial control system 100 can be completely disabled (e.g., no communication facilitated between that element and other elements of the industrial control system 100).
- the keys, certificates and/or identification numbers associated with an element of the industrial control system 100 can specify the original equipment manufacturer (OEM) of that element.
- OEM original equipment manufacturer
- the term "original equipment manufacturer” or "OEM” can be defined as an entity that physically manufactures the device (e.g., element) and/or a supplier of the device such as an entity that purchases the device from a physical manufacturer and sells the device.
- a device can be manufactured and distributed (sold) by an OEM that is both the physical manufacturer and the supplier of the device.
- a device can be distributed by an OEM that is a supplier, but is not the physical manufacturer.
- the OEM can cause the device to be manufactured by a physical manufacturer (e.g., the OEM can purchase, contract, order, etc. the device from the physical manufacturer).
- the device can bear the brand of the supplier instead of brand of the physical manufacturer.
- an element e.g., a communications/control module 106
- the element's keys, certificates and/or identification numbers can specify that origin.
- limitations can be placed upon communication (e.g., data transfer) between that element and other elements of the industrial control system 100, such that the element cannot work/function within the industrial control system 100.
- this feature can prevent a user of the industrial control system 100 from unknowingly replacing the element with a non-homogenous element (e.g., an element having a different origin (a different OEM) than the remaining elements of the industrial control system 100) and implementing the element in the industrial control system 100.
- a non-homogenous element e.g., an element having a different origin (a different OEM) than the remaining elements of the industrial control system 100
- the techniques described herein can prevent the substitution of elements of other OEM's into a secure industrial control system 100.
- a first reseller can be provided with elements having a first set of physical and cryptographic labels by an originating OEM, and the first reseller's elements can be installed in an industrial control system 100.
- a second reseller can be provided with elements having a second (e.g., different) set of physical and cryptographic labels by the same originating OEM.
- the second reseller's elements may be prevented from operating within the industrial control system 100, since they may not authenticate and operate with the first reseller's elements.
- first reseller and the second reseller may enter into a mutual agreement, where the first and second elements can be configured to authenticate and operate within the same industrial control system 100.
- an agreement between resellers to allow interoperation can also be implemented so the agreement only applies to a specific customer, group of customers, facility, etc.
- a user can attempt to implement an incorrectly designated (e.g., mismarked) element within the industrial control system 100.
- the mismarked element can have a physical indicia marked upon it which falsely indicates that the element is associated with the same OEM as the OEM of the other elements of the industrial control system 100.
- the authentication process implemented by the industrial control system 100 can cause the user to be alerted that the element is counterfeit. This process can also promote improved security for the industrial control system 100, since counterfeit elements are often a vehicle by which malicious software can be introduced into the industrial control system 100.
- the authentication process provides a secure air gap for the industrial control system 100, ensuring that the secure industrial control system is physically isolated from insecure networks.
- the secure industrial control system 100 includes a key management entity 124.
- the key management entity 124 can be configured for managing cryptographic keys (e.g., encryption keys) in a cryptosystem. This managing of cryptographic keys (e.g., key management) can include the generation, exchange, storage, use, and/or replacement of the keys.
- the key management entity 124 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the elements of the industrial control system 100. Key management pertains to keys at the user and/or system level (e.g., either between users or systems).
- the key management entity 124 comprises a secure entity such as an entity located in a secure facility.
- the key management entity 124 can be remotely located from the I/O modules 104, the communications/control modules 106, and the network 120.
- a firewall 126 can separate the key management entity 124 from the control elements or subsystems 102 and the network 120 (e.g., a corporate network).
- the firewall 126 can be a software and/or hardware-based network security system that controls ingoing and outgoing network traffic by analyzing data packets and determining whether the data packets should be allowed through or not, based on a rule set.
- the firewall 126 thus establishes a barrier between a trusted, secure internal network (e.g., the network 120) and another network 128 that is not assumed to be secure and trusted (e.g., a cloud and/or the Internet).
- the firewall 126 allows for selective (e.g., secure) communication between the key management entity 124 and one or more of the control elements or subsystems 102 and/or the network 120.
- one or more firewalls can be implemented at various locations within the industrial control system 100. For example, firewalls can be integrated into switches and/or workstations of the network 120.
- the secure industrial control system 100 can further include one or more manufacturing entities (e.g., factories 122).
- the manufacturing entities can be associated with original equipment manufacturers (OEMs) for the elements of the industrial control system 100.
- the key management entity 124 can be communicatively coupled with the manufacturing entity via a network (e.g., a cloud).
- a network e.g., a cloud
- the key management entity 124 can be communicatively coupled with (e.g., can have an encrypted communications pipeline to) the elements.
- the key management entity 124 can utilize the communications pipeline for provisioning the elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the elements) at the point of manufacture.
- the key management entity 124 can be communicatively coupled (e.g., via an encrypted communications pipeline) to each individual element worldwide and can confirm and sign the use of specific code, revoke (e.g., remove) the use of any particular code, and/or enable the use of any particular code.
- the key management entity 124 can communicate with each element at the factory where the element is originally manufactured (e.g., born), such that the element is born with managed keys.
- a master database and/or table including all encryption keys, certificates and/or identification numbers for each element of the industrial control system 100 can be maintained by the key management entity 124.
- the key management entity 124 through its communication with the elements, is configured for revoking keys, thereby promoting the ability of the authentication mechanism to counter theft and re-use of components.
- the key management entity 124 can be communicatively coupled with one or more of the control elements/subsystems, industrial elements, and/or the network 120 via another network (e.g., a cloud and/or the Internet) and firewall.
- the key management entity 124 can be a centralized system or a distributed system.
- the key management entity 124 can be managed locally or remotely.
- the key management entity 124 can be located within (e.g., integrated into) the network 120 and/or the control elements or subsystems 102.
- the key management entity 124 can provide management and/or can be managed in a variety of ways.
- the key management entity 124 can be implemented/managed: by a customer at a central location, by the customer at individual factory locations, by an external third party management company and/or by the customer at different layers of the industrial control system 100, and at different locations, depending on the layer.
- Varying levels of security can be provided by the authentication process.
- a base level of security can be provided which authenticates the elements and protects code within the elements.
- Other layers of security can be added as well.
- security can be implemented to such a degree that a component, such as the communications/control module 106, cannot power up without proper authentication occurring.
- encryption in the code is implemented in the elements, while security credentials (e.g., keys and certificates) are implemented on the elements.
- Security can be distributed (e.g., flows) through the industrial control system 100. For example, security can flow through the industrial control system 100 all the way to an end user, who knows what a module is designed to control in that instance.
- the authentication process provides encryption, identification of devices for secure communication and authentication of system hardware or software components (e.g., via digital signature).
- the authentication process can be implemented to provide for and/or enable interoperability within the secure industrial control system 100 of elements manufactured and/or supplied by different manufacturers/vendors/suppliers (e.g., OEMs). For example, selective (e.g., some) interoperability between elements manufactured and/or supplied by different manufacturers/vendors/suppliers can be enabled.
- unique security credentials e.g., keys
- keys implemented during authentication can form a hierarchy, thereby allowing for different functions to be performed by different elements of the industrial control system 100.
- the communication links connecting the components of the industrial control system 100 can further employ data packets, such as runt packets (e.g., packets smaller than sixty-four (64) bytes), placed (e.g., injected and/or stuffed) therein, providing an added level of security.
- runt packets e.g., packets smaller than sixty-four (64) bytes
- the use of runt packets increases the level of difficulty with which outside information (e.g., malicious content such as false messages, malware (viruses), data mining applications, etc.) can be injected onto the communications links.
- runt packets can be injected onto a communication link within gaps between data packets transmitted between the action originator 204 and the communications/control module 106 or any other industrial element/controller 206 to hinder an external entity's ability to inject malicious content onto the communication link.
- any of the functions described herein can be implemented using hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, manual processing, or a combination thereof.
- the blocks discussed in the above disclosure generally represent hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, or a combination thereof.
- the various blocks discussed in the above disclosure may be implemented as integrated circuits along with other functionality. Such integrated circuits may include all of the functions of a given block, system, or circuit, or a portion of the functions of the block, system, or circuit. Further, elements of the blocks, systems, or circuits may be implemented across multiple integrated circuits.
- Such integrated circuits may comprise various integrated circuits, including, but not necessarily limited to: a monolithic integrated circuit, a flip chip integrated circuit, a multichip module integrated circuit, and/or a mixed signal integrated circuit.
- the various blocks discussed in the above disclosure represent executable instructions (e.g., program code) that perform specified tasks when executed on a processor. These executable instructions can be stored in one or more tangible computer readable media.
- the entire system, block, or circuit may be implemented using its software or firmware equivalent.
- one part of a given system, block, or circuit may be implemented in software or firmware, while other parts are implemented in hardware.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Programmable Controllers (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Safety Devices In Control Systems (AREA)
Abstract
Description
- The present application is a continuation-in-part of International Application No.
PCT/US2013/053721, filed August 6, 2013 , and titled, "SECURE INDUSTRIAL CONTROL SYSTEM." The present application is also a continuation-in-part under 35U.S.C. § 120 ofU.S. Patent Application Serial No. 14/469,931, filed August 27, 2014 U.S. Patent Application Serial No. 14/446,412, filed July 30, 2014 U.S. Provisional Application Serial No. 62/021,438, filed July 7, 2014 U.S. Provisional Application Serial No. 62/021,438 U.S. Patent Application Serial Nos. 14/446,412 and14/469,931 PCT/US2013/053721 are herein incorporated by reference in their entireties. - Industrial control systems, such as standard industrial control systems (ICS) or programmable automation controllers (PAC), include various types of control equipment used in industrial production, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and industrial safety systems certified to safety standards such as IEC1508. These systems are used in industries including electrical, water and wastewater, oil and gas production and refining, chemical, food, pharmaceuticals and robotics. Using information collected from various types of sensors to measure process variables, automated and/or operator-driven supervisory commands from the industrial control system can be transmitted to various actuator devices such as control valves, hydraulic actuators, magnetic actuators, electrical switches, motors, solenoids, and the like. These actuator devices collect data from sensors and sensor systems, open and close valves and breakers, regulate valves and motors, monitor the industrial process for alarm conditions, and so forth.
- In other examples, SCADA systems can use open-loop control with process sites that may be widely separated geographically. These systems use Remote Terminal Units (RTUs) to send supervisory data to one or more control centers. SCADA applications that deploy RTU's include fluid pipelines, electrical distribution and large communication systems. DCS systems are generally used for real-time data collection and continuous control with high-bandwidth, low-latency data networks and are used in large campus industrial process plants, such as oil and gas, refining, chemical, pharmaceutical, food and beverage, water and wastewater, pulp and paper, utility power, and mining and metals. PLCs more typically provide Boolean and sequential logic operations, and timers, as well as continuous control and are often used in stand-alone machinery and robotics. Further, ICE and PAC systems can be used in facility processes for buildings, airports, ships, space stations, and the like (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption). As industrial control systems evolve, new technologies are combining aspects of these various types of control systems. For instance, PACs can include aspects of SCADA, DCS, and PLCs.
- According to various embodiments of this disclosure, a secure industrial control system includes one or more communications/control modules that control or drive one or more industrial elements (e.g., input/output (I/O) modules, power modules, field devices, switches, workstations, and/or physical interconnect devices). Operator actions and/or other commands or requests can be secured via an authentication path from an action originator to a communications/control module. In implementations, the industrial control system requires an action authenticator to sign an action request generated by the action originator. The destination communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.
- In some embodiments, the communications/control module includes at least one processor and a non-transitory medium bearing a set of instructions executable by the processor. The set of instructions includes at least instructions to: receive an action request initiated by an action originator and signed by an action authenticator; verify the authenticity of the signed action request; and perform a requested action when the authenticity of the signed action request is verified.
- Further, a method of authenticating a requested action is disclosed. The method includes: signing an action request with an action authenticator; sending the signed action request to a communications/control module; verifying the authenticity of the signed action request; and performing a requested action with the communications/control module when the authenticity of the signed action request is verified.
- This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. (This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.)
- The Detailed Description is described with reference to the accompanying figures. The use of the same reference numbers in different instances in the description and the figures may indicate similar or identical items.
-
FIG. 1 is a block diagram illustrating an industrial control system in accordance with example embodiments of the present disclosure. -
FIG. 2 is a block diagram illustrating an action authentication path for the industrial control system in accordance with example embodiments of the present disclosure. -
FIG. 3 is a block diagram further illustrating the action authentication path in accordance with example embodiments of the present disclosure. -
FIG. 4 is a flow diagram illustrating a method of authenticating an action request in accordance with example embodiments of the present disclosure. -
FIG. 5 is a flow diagram further illustrating the method of authenticating the action request in accordance with example embodiments of the present disclosure. - In industrial control systems, various industrial elements/subsystems (e.g., input/output (I/O) modules, power modules, process sensors and/or actuators, switches, workstations, and/or physical interconnect devices) are controlled or driven by control elements/subsystems (e.g., one or more communications/control modules). The control elements/subsystems operate according to programming and action requests (e.g., executable software modules, control commands, data requests, and the like) received from an action originator such as, but not limited to: an operator interface (e.g., SCADA or human machine interface (HMI)), an engineering interface, a local application, and/or a remote application. Where multiple action originators are present, the industrial control system can be vulnerable to unauthorized access to data and/or controls. Further, the industrial control system can be vulnerable to malware, spyware, or other corrupt/malicious software that can be transmitted in the form of an update, application image, control command, or the like. Simply authenticating the operator may not be enough to secure the system from malicious actors or even unintentionally unauthorized requests/commands that can be originated via a valid login or a seemingly valid (e.g., hacked) application or operator/engineering interface.
- The present disclosure is directed to industrial control system communications/control modules, subsystems and techniques for preventing unauthorized action requests from being processed in an industrial control system. In embodiments, a predefined selection of operations or all operator actions and/or other control actions or requests are secured via an authentication path from an action originator to a communications/control module. In implementations, the industrial control system requires an action authenticator to sign an action request generated by the action originator. Unsigned action requests may automatically result in an error and will not be processed or executed by the communications/control module. The communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.
-
FIG. 1 illustrates anindustrial control system 100 in accordance with an example embodiment of the present disclosure. In embodiments, theindustrial control system 100 may comprise an industrial control system (ICS), a programmable automation controller (PAC), a supervisory control and data acquisition (SCADA) system, a distributed control system (DCS), programmable logic controller (PLC), and industrial safety system certified to safety standards such as IEC1508, or the like. As shown inFIG. 1 , theindustrial control system 100 uses a communications control architecture to implement a distributed control system that includes one or more industrial elements (e.g., input/output modules, power modules, field devices, switches, workstations, and/or physical interconnect devices) that are controlled or driven by one or more control elements orsubsystems 102 distributed throughout the system. For example, one or more I/O modules 104 may be connected to one or more communications/control modules 106 making up the control element/subsystem 102. Theindustrial control system 100 is configured to transmit data to and from the I/O modules 104. The I/O modules 104 can comprise input modules, output modules, and/or input and output modules. For instance, input modules can be used to receive information from input devices 130 (e.g., sensors) in the process, while output modules can be used to transmit instructions to output devices (e.g., actuators). For example, an I/O module 104 can be connected to a process sensor for measuring pressure in piping for a gas plant, a refinery, and so forth and/or connected to a process actuator for controlling a valve, binary or multiple state switch, transmitter, or the like.Field devices 130 are communicatively coupled with theIO modules 104 either directly or via network connections. Thesedevices 130 can include control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like. - In implementations, the I/
O modules 104 can be used theindustrial control system 100 collect data in applications including, but not necessarily limited to critical infrastructure and/or industrial processes, such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption). - In implementations, an I/
O module 104 can be configured to convert analog data received from the sensor to digital data (e.g., using Analog-to-Digital Converter (ADC) circuitry, and so forth). An I/O module 104 can also be connected to one or more process actuators such as a motor or a regulating valve or an electrical relay and other forms of actuators and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, or position of the regulating valve or state of the electrical relay and so forth. Further, the I/O module 104 can be configured to convert digital data to analog data for transmission to the actuator (e.g., using Digital-to-Analog (DAC) circuitry, and so forth). In implementations, one or more of the I/O modules 104 can comprise a communications module configured for communicating via a communications sub-bus, such as an Ethernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a Highway Addressable Remote Transducer (HART) bus, a Modbus, and so forth. Further, two or more I/O modules 104 can be used to provide fault tolerant and redundant connections forvarious field devices 130 such as control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like. - Each I/
O module 104 can be provided with a unique identifier (ID) for distinguishing one I/O module 104 from another I/O module 104. In implementations, an I/O module 104 is identified by its ID when it is connected to theindustrial control system 100. Multiple I/O modules 104 can be used with theindustrial control 100 to provide redundancy. For example, two or more I/O modules 104 can be connected to a process sensor and/or actuator. Each I/O module 104 can include one or more ports that furnish a physical connection to hardware and circuitry included with the I/O module 104, such as a printed circuit board (PCB), and so forth. For example, each I/O module 104 includes a connection for a cable that connects the cable to a printed wiring board (PWB) in the I/O module 104. - One or more of the I/
O modules 104 can include an interface for connecting to other networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a Global System for Mobile communications (GSM) network; a wireless computer communications network, such as a Wi-Fi network (e.g., a Wireless LAN (WLAN) operated using IEEE 802.11 network standards); a Personal Area Network (PAN) (e.g., a Wireless PAN (WPAN) operated using IEEE 802.15 network standards); a Wide Area Network (WAN); an intranet; an extranet; an internet; the Internet; and so on. Further, one or more of the I/O modules 104 can include a connection for connecting an I/O module 104 to a computer bus, and so forth. - The communications/
control modules 106 can be used to monitor and control the I/O modules 104, and to connect two or more I/O modules 104 together. In embodiments of the disclosure, a communications/control module 106 can update a routing table when an I/O module 104 is connected to theindustrial control system 100 based upon a unique ID for the I/O module 104. Further, when multiple redundant I/O modules 104 are used, each communications/control module 106 can implement mirroring of informational databases regarding the I/O modules 104 and update them as data is received from and/or transmitted to the I/O modules 104. In some embodiments, two or more communications/control module 106 are used to provide redundancy. For added security, the communications/control module 106 can be configured to perform an authentication sequence or handshake to authenticate one another at predefined events or times including such as startup, reset, installation of anew control module 106, replacement of a communications/control module 106, periodically, scheduled times, and the like. - As shown in
FIGS. 2 and3 , each communications/control module 106 or any other industrial element/controller 206 (e.g., I/O module 104,field device 130 such as an actuator or sensor, physical interconnect device, switch,power module 112, or the like) can be at least partially operated according to requests/commands from anaction originator 202. In implementations, theaction originator 202 includes an operator interface 208 (e.g., SCADA or HMI), anengineering interface 210 including aneditor 212 and acompiler 214, alocal application 220, a remote application 216 (e.g., communicating through anetwork 218 via a local application 220), or the like. In theauthentication path 200 illustrated inFIGS. 2 and3 , the industrial element/controller 206 (e.g., communications/control module 106, I/O module 104,field device 130 such as an actuator or sensor, physical interconnect device, switch,power module 112, or the like) processes an action request (e.g., request for data, control command, firmware/software update, set point control, application image download, or the like) only when the action request has been signed and/or encrypted by anaction authenticator 204. This prevents unauthorized action requests from valid user profiles and further secures the system from unauthorized action requests coming from invalid (e.g., hacked) profiles. - The
action authenticator 204 can either be on-site with the action originator 202 (e.g., directly connected device lifecycle management system ("DLM") 222 or secured workstation 226) or remotely located (e.g.,DLM 222 connected via the network 218). In general, theaction authenticator 204 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by theaction originator 202 with the private key. The private key is stored in a memory that cannot be accessed via standard operator login. For instance, thesecured workstation 226 can require a physical key, portable encryption device (e.g., smart card, RFID tag, or the like), and/or biometric input for access. - In some embodiments, the
action authenticator 204 includes a portable encryption device such as a smart card 224 (which can include a secured microprocessor). The advantage of using a portable encryption device is that the entire device (including the privately stored key and processor in communication therewith) can be carried with an operator or user that has authorized access to an interface of theaction originator 202. Whether theaction authentication node 204 accesses theauthentication path 200 via secured or unsecured workstation, the action request from theaction originator 202 can be securely signed and/or encrypted within the architecture of the portable encryption device instead of a potentially less secure workstation or cloud-based architecture. This secures theindustrial control system 100 from unauthorized actions. For instance, an unauthorized person would have to physically take possession of thesmart card 224 before being able to authenticate any action requests sent via theaction originator 202. - Furthermore, multiple layers of security can be employed. For example, the
action authenticator 204 can include asecured workstation 226 that is only accessible to sign and/or encrypt action requests via smart card access or the like. Additionally, thesecured workstation 226 can be accessible via a biometric or multifactor cryptography device 228 (e.g., fingerprint scanner, iris scanner, and/or facial recognition device). In some embodiments, amultifactor cryptography device 228 requires a valid biometric input before enabling thesmart card 224 or other portable encryption device to sign the action request. - The communications/
control module 106 or any other industrial element/controller 206 being driven by theaction originator 202 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In some embodiments, the industrial element/controller 206 includes a storage medium 230 (e.g., SD/micro-SD card, HDD, SSD, or any other non-transitory storage device) configured to store the action request (e.g., application image, control command, and/or any other data sent by the action originator). The communications/control module 106 or any other industrial element/controller 206 further includes aprocessor 232 that performs/executes the action request (i.e., performs the requested action) after the signature is verified. In some embodiments, the action request is encrypted by theaction originator 202 and/or theaction authenticator 232 and must also be decrypted by theprocessor 232 before the requested action can be performed. In implementations, the communications/control module 106 or any other industrial element/controller 206 includes a virtual key switch 234 (e.g., a software module running on the processor 232) that enables theprocessor 232 to perform the requested action only after the action request signature is verified and/or after the action request is decrypted. In some embodiments, each and every action or each one of a selection of critical actions must clear the authentication path before being run on the communications/control module 106 or any other industrial element/controller 206. -
FIGS. 4 and5 illustrate amethod 300 of authenticating an action request in accordance with exemplary embodiments of this disclosure. In implementations, themethod 300 can be manifested by theindustrial control system 100 and/orauthentication path 200 of theindustrial control system 100. Themethod 300 includes: (302) originating an action request (e.g., via an operator/engineering interface 208/210 or a remote/local application interface 216/220); (304) signing the action request with theaction authenticator 204; (312) optionally encrypting the action request with theaction authenticator 204; (306) sending or downloading the signed action request to a communications/control module 106 or any other industrial element/controller 206; (308) verifying the authenticity of the signed action request; (314) optionally decrypting the action request with the communications/control module 106 or any other industrial element/controller 206; and (310) performing a requested action with the communications/control module 106 or any other industrial element/controller 206 when the authenticity of the signed action request is verified. - For enhanced security, the communications/
control module 106 or any other industrial element/controller 206 can be further configured to perform an authentication sequence with the action authenticator 204 (e.g., with asmart card 224 or the like) before the requested action is run by the communications/control module 106 or any other industrial element/controller 206. For example, the so-called "handshake" can be performed prior to step 310 or even prior to step 306. In some embodiments, the signature andverification steps - In some embodiments, the authentication sequence implemented by the communications/
control module 106 or any other industrial element/controller 206 can include: sending a request datagram to theaction authenticator 204, the request datagram including a first nonce, a first device authentication key certificate (e.g., a first authentication certificate that contains a device authentication key), and a first identity attribute certificate; receiving a response datagram from theaction authenticator 204, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate (e.g., a second authentication certificate that contains a device authentication key), and a second identity attribute certificate; validating the response datagram by verifying the first signature associated with the first and second nonces, the second device authentication key certificate, and the second identity attribute certificate; and sending an authentication datagram to theaction authenticator 204 when the response datagram is valid, the authentication datagram including a second signature associated with the first and second nonces. - Alternatively, the
action authenticator 204 can initiate the handshake, in which case the authentication sequence implemented by the communications/control module 106 or any other industrial element/controller 206 can include: receiving a request datagram from theaction authenticator 204, the request datagram including a first nonce, a first device authentication key certificate, and a first identity attribute certificate; validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate; sending a response datagram to theaction authenticator 204 when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate; receiving an authentication datagram from theaction authenticator 204, the authentication datagram including a second signature associated with the first and second nonces; and validating the authentication datagram by verifying the second signature associated with the first and second nonces. - The handshake or authentication sequence that can be implemented by the communications/
control module 106 or any other industrial element/controller 206 and theaction authenticator 204 is further described in co-pending U.S. Non-provisional Application Serial No. [Not Yet Assigned], titled "INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNIATIONS/CONTROL MODULES AUTHENTICATION," By Timothy Clish et al., filed October 20, 2014, fully incorporated herein by reference. Those skilled in the art will appreciate the applicability of the handshake between redundant communications/control modules 106 to the handshake described herein between the communications/control module 106 or any other industrial element/controller 206 and theaction authenticator 204. - Each of the
action originator 202, theaction authenticator 204, and communications/control module 106 or any other industrial element/controller 206 can include circuitry and/or logic enabled to perform the functions or operations (e.g., blocks ofmethod 300 and the authentication sequence) described herein. For example, each of theaction originator 202, theaction authenticator 204, and the communications/control module 106 or any other industrial element/controller 206 can include one or more processors that execute program instruction stored permanently, semi-permanently, or temporarily by a non-transitory machine readable medium such as, but not limited to: a hard disk drive (HDD), solid-state disk (SDD), optical disk, magnetic storage device, flash drive, or SD/micro-SD card. - Referring again to
FIG. 1 , data transmitted by theindustrial control system 100 can be packetized, i.e., discrete portions of the data can be converted into data packets comprising the data portions along with network control information, and so forth. Theindustrial control system 100 can use one or more protocols for data transmission, including a bit-oriented synchronous data link layer protocol such as High-Level Data Link Control (HDLC). In some embodiments, theindustrial control system 100 implements HDLC according to an International Organization for Standardization (ISO) 13239 standard, or the like. Further, two or more communications/control modules 106 can be used to implement redundant HDLC. However, it should be noted that HDLC is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, theindustrial control system 100 can use other various communications protocols in accordance with the present disclosure. - One or more of the communications/
control module 106 can be configured for exchanging information with components used for monitoring and/or controlling the field devices 130 (e.g., sensor and/or actuator instrumentation) connected to theindustrial control system 100 via the I/O modules 104, such as one or more control loop feedback mechanisms/controllers. In implementations, a controller can be configured as a microcontroller/Programmable Logic Controller (PLC), a Proportional-Integral-Derivative (PID) controller, and so forth. In some embodiments, the I/O modules 104 and the communications/control modules 106 include network interfaces, e.g., for connecting one or more I/O modules 104 to one or more controllers via a network. In implementations, a network interface can be configured as a Gigabit Ethernet interface for connecting the I/O modules 104 to a Local Area Network (LAN). Further, two or more communications/control modules 106 can be used to implement redundant Gigabit Ethernet. However, it should be noted that Gigabit Ethernet is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, a network interface can be configured for connecting the communications/control modules 106 to other various networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a GSM network; a wireless computer communications network, such as a Wi-Fi network (e.g., a WLAN operated using IEEE 802.11 network standards); a PAN (e.g., a WPAN operated using IEEE 802.15 network standards); a WAN; an intranet; an extranet; an internet; the Internet; and so on. Additionally, a network interface can be implemented using a computer bus. For example, a network interface can include a Peripheral Component Interconnect (PCI) card interface, such as a Mini PCI interface, and so forth. Further, the network can be configured to include a single network or multiple networks across different access points. - The
industrial control system 100 can receive electrical power from multiple sources. For example, AC power is supplied from a power grid 108 (e.g., using high voltage power from AC mains). AC power can also be supplied using local power generation (e.g., an on-site turbine or diesel local power generator 110). Apower supply 112 is used to distribute electrical power from thepower grid 108 to automation equipment of theindustrial control system 100, such as controllers, I/O modules, and so forth. Apower supply 112 can also be used to distribute electrical power from thelocal power generator 110 to the industrial control system equipment. Theindustrial control system 100 can also include additional (backup) power supplies configured to store and return DC power using multiple battery modules. For example, apower supply 112 functions as a UPS. In embodiments of the disclosure,multiple power supplies 112 can be distributed (e.g., physically decentralized) within theindustrial control system 100. - In some embodiments, the control elements/subsystems and/or industrial elements (e.g., the I/
O modules 104, the communications/control modules 106, the power supplies 112, and so forth) are connected together by one ormore backplanes 114. For example, communications/control modules 106 can be connected to I/O modules 104 by acommunications backplane 116. Further,power supplies 112 can be connected to I/O modules 104 and/or to communications/control modules 106 by apower backplane 118. In some embodiments, physical interconnect devices (e.g., switches, connectors, or cables such as, but not limited to, those described inU.S. Non-provisional Application Serial No. 14/446,412 ) are used to connect to the I/O modules 104, the communications/control modules 106, the power supplies 112, and possibly other industrial control system equipment. For example, a cable can be used to connect a communications/control module 106 to anetwork 120, another cable can be used to connect apower supply 112 to apower grid 108, another cable can be used to connect apower supply 112 to alocal power generator 110, and so forth. - In some embodiments, the
industrial control system 100 implements a secure control system. For example, theindustrial control system 100 includes a security credential source (e.g., a factory 122) and a security credential implementer (e.g., a key management entity 124). The security credential source is configured to generate a unique security credential (e.g., a key, a certificate, etc., such as a unique identifier, and/or a security credential). The security credential implementer is configured to provision the control elements/subsystems and/or industrial elements (e.g., cables,devices 130, I/O modules 104, communications/control modules 106,power supplies 112, and so forth) with a unique security credential generated by the security credential source. - Multiple (e.g., every)
device 130, I/O module 104, communications/control module 106,power supply 112, physical interconnect devices, etc., of theindustrial control system 100 can be provisioned with security credentials for providing security at multiple (e.g., all) levels of theindustrial control system 100. Still further, the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, can be provisioned with the unique security credentials (e.g., keys, certificates, etc.) during manufacture (e.g., at birth), and can be managed from birth by akey management entity 124 of theindustrial control system 100 for promoting security of theindustrial control system 100. - In some embodiments, communications between the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, of the
industrial control system 100 includes an authentication process. The authentication process can be performed for authenticating control elements/subsystem and/or industrial elements including the sensors and/or actuators and so forth, implemented in theindustrial control system 100. Further, the authentication process can utilize security credentials associated with the element and/or physical interconnect device for authenticating that element and/or physical interconnect device. For example, the security credentials can include encryption keys, certificates (e.g., public key certificates, digital certificates, identity certificates, security certificates, asymmetric certificates, standard certificates, non-standard certificates) and/or identification numbers. - In implementations, multiple control elements/subsystems and/or industrial elements of the
industrial control system 100 are provisioned with their own unique security credentials. For example, each element of theindustrial control system 100 may be provisioned with its own unique set(s) of certificates, encryption keys and/or identification numbers when the element is manufactured (e.g., the individual sets of keys and certificates are defined at the birth of the element). The sets of certificates, encryption keys and/or identification numbers are configured for providing/supporting strong encryption. The encryption keys can be implemented with standard (e.g., commercial off-the-shelf (COTS)) encryption algorithms, such as National Security Agency (NSA) algorithms, National Institute of Standards and Technology (NIST) algorithms, or the like. - Based upon the results of the authentication process, the element being authenticated can be activated, partial functionality of the element can be enabled or disabled within the
industrial control system 100, complete functionality of the element can be enabled within theindustrial control system 100, and/or functionality of the element within theindustrial control system 100 can be completely disabled (e.g., no communication facilitated between that element and other elements of the industrial control system 100). - In embodiments, the keys, certificates and/or identification numbers associated with an element of the
industrial control system 100 can specify the original equipment manufacturer (OEM) of that element. As used herein, the term "original equipment manufacturer" or "OEM" can be defined as an entity that physically manufactures the device (e.g., element) and/or a supplier of the device such as an entity that purchases the device from a physical manufacturer and sells the device. Thus, in embodiments, a device can be manufactured and distributed (sold) by an OEM that is both the physical manufacturer and the supplier of the device. However, in other embodiments, a device can be distributed by an OEM that is a supplier, but is not the physical manufacturer. In such embodiments, the OEM can cause the device to be manufactured by a physical manufacturer (e.g., the OEM can purchase, contract, order, etc. the device from the physical manufacturer). - Additionally, where the OEM comprises a supplier that is not the physical manufacturer of the device, the device can bear the brand of the supplier instead of brand of the physical manufacturer. For example, in embodiments where an element (e.g., a communications/control module 106) is associated with a particular OEM that is a supplier but not the physical manufacturer, the element's keys, certificates and/or identification numbers can specify that origin. During authentication of an element of the
industrial control system 100, when a determination is made that an element being authenticated was manufactured or supplied by an entity that is different than the OEM of one or more other elements of theindustrial control system 100, then the functionality of that element can be at least partially disabled within theindustrial control system 100. For example, limitations can be placed upon communication (e.g., data transfer) between that element and other elements of theindustrial control system 100, such that the element cannot work/function within theindustrial control system 100. When one of the elements of theindustrial control system 100 requires replacement, this feature can prevent a user of theindustrial control system 100 from unknowingly replacing the element with a non-homogenous element (e.g., an element having a different origin (a different OEM) than the remaining elements of the industrial control system 100) and implementing the element in theindustrial control system 100. In this manner, the techniques described herein can prevent the substitution of elements of other OEM's into a secureindustrial control system 100. In one example, the substitution of elements that furnish similar functionality in place of elements provided by an originating OEM can be prevented, since the substituted elements cannot authenticate and operate within the originating OEM's system. In another example, a first reseller can be provided with elements having a first set of physical and cryptographic labels by an originating OEM, and the first reseller's elements can be installed in anindustrial control system 100. In this example, a second reseller can be provided with elements having a second (e.g., different) set of physical and cryptographic labels by the same originating OEM. In this example, the second reseller's elements may be prevented from operating within theindustrial control system 100, since they may not authenticate and operate with the first reseller's elements. However, it should also be noted that the first reseller and the second reseller may enter into a mutual agreement, where the first and second elements can be configured to authenticate and operate within the sameindustrial control system 100. Further, in some embodiments, an agreement between resellers to allow interoperation can also be implemented so the agreement only applies to a specific customer, group of customers, facility, etc. - In another instance, a user can attempt to implement an incorrectly designated (e.g., mismarked) element within the
industrial control system 100. For example, the mismarked element can have a physical indicia marked upon it which falsely indicates that the element is associated with the same OEM as the OEM of the other elements of theindustrial control system 100. In such instances, the authentication process implemented by theindustrial control system 100 can cause the user to be alerted that the element is counterfeit. This process can also promote improved security for theindustrial control system 100, since counterfeit elements are often a vehicle by which malicious software can be introduced into theindustrial control system 100. In embodiments, the authentication process provides a secure air gap for theindustrial control system 100, ensuring that the secure industrial control system is physically isolated from insecure networks. - In implementations, the secure
industrial control system 100 includes akey management entity 124. Thekey management entity 124 can be configured for managing cryptographic keys (e.g., encryption keys) in a cryptosystem. This managing of cryptographic keys (e.g., key management) can include the generation, exchange, storage, use, and/or replacement of the keys. For example, thekey management entity 124 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the elements of theindustrial control system 100. Key management pertains to keys at the user and/or system level (e.g., either between users or systems). - In embodiments, the
key management entity 124 comprises a secure entity such as an entity located in a secure facility. Thekey management entity 124 can be remotely located from the I/O modules 104, the communications/control modules 106, and thenetwork 120. For example, afirewall 126 can separate thekey management entity 124 from the control elements orsubsystems 102 and the network 120 (e.g., a corporate network). In implementations, thefirewall 126 can be a software and/or hardware-based network security system that controls ingoing and outgoing network traffic by analyzing data packets and determining whether the data packets should be allowed through or not, based on a rule set. Thefirewall 126 thus establishes a barrier between a trusted, secure internal network (e.g., the network 120) and anothernetwork 128 that is not assumed to be secure and trusted (e.g., a cloud and/or the Internet). In embodiments, thefirewall 126 allows for selective (e.g., secure) communication between thekey management entity 124 and one or more of the control elements orsubsystems 102 and/or thenetwork 120. In examples, one or more firewalls can be implemented at various locations within theindustrial control system 100. For example, firewalls can be integrated into switches and/or workstations of thenetwork 120. - The secure
industrial control system 100 can further include one or more manufacturing entities (e.g., factories 122). The manufacturing entities can be associated with original equipment manufacturers (OEMs) for the elements of theindustrial control system 100. Thekey management entity 124 can be communicatively coupled with the manufacturing entity via a network (e.g., a cloud). In implementations, when the elements of theindustrial control system 100 are being manufactured at one or more manufacturing entities, thekey management entity 124 can be communicatively coupled with (e.g., can have an encrypted communications pipeline to) the elements. Thekey management entity 124 can utilize the communications pipeline for provisioning the elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the elements) at the point of manufacture. - Further, when the elements are placed into use (e.g., activated), the
key management entity 124 can be communicatively coupled (e.g., via an encrypted communications pipeline) to each individual element worldwide and can confirm and sign the use of specific code, revoke (e.g., remove) the use of any particular code, and/or enable the use of any particular code. Thus, thekey management entity 124 can communicate with each element at the factory where the element is originally manufactured (e.g., born), such that the element is born with managed keys. A master database and/or table including all encryption keys, certificates and/or identification numbers for each element of theindustrial control system 100 can be maintained by thekey management entity 124. Thekey management entity 124, through its communication with the elements, is configured for revoking keys, thereby promoting the ability of the authentication mechanism to counter theft and re-use of components. - In implementations, the
key management entity 124 can be communicatively coupled with one or more of the control elements/subsystems, industrial elements, and/or thenetwork 120 via another network (e.g., a cloud and/or the Internet) and firewall. For example, in embodiments, thekey management entity 124 can be a centralized system or a distributed system. Moreover, in embodiments, thekey management entity 124 can be managed locally or remotely. In some implementations, thekey management entity 124 can be located within (e.g., integrated into) thenetwork 120 and/or the control elements orsubsystems 102. Thekey management entity 124 can provide management and/or can be managed in a variety of ways. For example, thekey management entity 124 can be implemented/managed: by a customer at a central location, by the customer at individual factory locations, by an external third party management company and/or by the customer at different layers of theindustrial control system 100, and at different locations, depending on the layer. - Varying levels of security (e.g., scalable, user-configured amounts of security) can be provided by the authentication process. For example, a base level of security can be provided which authenticates the elements and protects code within the elements. Other layers of security can be added as well. For example, security can be implemented to such a degree that a component, such as the communications/
control module 106, cannot power up without proper authentication occurring. In implementations, encryption in the code is implemented in the elements, while security credentials (e.g., keys and certificates) are implemented on the elements. Security can be distributed (e.g., flows) through theindustrial control system 100. For example, security can flow through theindustrial control system 100 all the way to an end user, who knows what a module is designed to control in that instance. In embodiments, the authentication process provides encryption, identification of devices for secure communication and authentication of system hardware or software components (e.g., via digital signature). - In implementations, the authentication process can be implemented to provide for and/or enable interoperability within the secure
industrial control system 100 of elements manufactured and/or supplied by different manufacturers/vendors/suppliers (e.g., OEMs). For example, selective (e.g., some) interoperability between elements manufactured and/or supplied by different manufacturers/vendors/suppliers can be enabled. In embodiments, unique security credentials (e.g., keys) implemented during authentication can form a hierarchy, thereby allowing for different functions to be performed by different elements of theindustrial control system 100. - The communication links connecting the components of the
industrial control system 100 can further employ data packets, such as runt packets (e.g., packets smaller than sixty-four (64) bytes), placed (e.g., injected and/or stuffed) therein, providing an added level of security. The use of runt packets increases the level of difficulty with which outside information (e.g., malicious content such as false messages, malware (viruses), data mining applications, etc.) can be injected onto the communications links. For example, runt packets can be injected onto a communication link within gaps between data packets transmitted between theaction originator 204 and the communications/control module 106 or any other industrial element/controller 206 to hinder an external entity's ability to inject malicious content onto the communication link. - Generally, any of the functions described herein can be implemented using hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, manual processing, or a combination thereof. Thus, the blocks discussed in the above disclosure generally represent hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, or a combination thereof. In the instance of a hardware configuration, the various blocks discussed in the above disclosure may be implemented as integrated circuits along with other functionality. Such integrated circuits may include all of the functions of a given block, system, or circuit, or a portion of the functions of the block, system, or circuit. Further, elements of the blocks, systems, or circuits may be implemented across multiple integrated circuits. Such integrated circuits may comprise various integrated circuits, including, but not necessarily limited to: a monolithic integrated circuit, a flip chip integrated circuit, a multichip module integrated circuit, and/or a mixed signal integrated circuit. In the instance of a software implementation, the various blocks discussed in the above disclosure represent executable instructions (e.g., program code) that perform specified tasks when executed on a processor. These executable instructions can be stored in one or more tangible computer readable media. In some such instances, the entire system, block, or circuit may be implemented using its software or firmware equivalent. In other instances, one part of a given system, block, or circuit may be implemented in software or firmware, while other parts are implemented in hardware.
- Although the subject matter has been described in language specific to structural features and/or process operations, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
The disclosure of this application also includes the following numbered clauses: - 1. A secure industrial control system, comprising:
- an action originator;
- an action authenticator configured to sign an action request generated by the action originator; and
- a communications/control module in communication with one or more industrial elements, the communications/control module being configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.
- 2. The industrial control system of clause 1, wherein the action originator comprises at least one of: an operator interface; an engineering interface; a local application interface; or a remote application interface.
- 3. The secure industrial control system of clause 1 or clause 2, wherein the action authenticator comprises a portable encryption device, preferably comprising a smart card, including:
- a storage medium with a private key stored thereon; and
- a processor, preferably comprising an encrypted microprocessor, configured to sign the action request with the private key.
- 4. The secure industrial control system of any of clauses 1 to 3, wherein the action authenticator comprises a secured workstation; preferably wherein the secured workstation is accessible via at least one of: a physical key; a portable encryption device; or a biometric cryptography device.
- 5. The secure industrial control system of any of clauses 1 to 4, wherein the action authenticator comprises a device lifecycle management system.
- 6. The secure industrial control system of any of clauses 1 to 5, wherein the action authenticator is further configured to encrypt the action request.
- 7. The secure industrial control system of any of clauses 1 to 6, wherein the communications/control module incudes:
- a processor; and
- a virtual key switch that enables the processor to run the action request when the authenticity of the signed action request is verified.
- 8. The secure industrial control system of any of clauses 1 to 7, wherein the communications/control module and the action authenticator are further configured to perform an authentication sequence.
- 9. The secure industrial control system of any one of clauses 1 to 8, wherein the one or more industrial elements include at least one of: a communications/control module; an input/output module; a power module; a field device; a switch; a workstation; or a physical interconnect device.
- 10. A communications/control module, comprising:
- at least one processor; and
- a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:
- receive an action request initiated by an action originator and signed by an action authenticator;
- verify the authenticity of the signed action request; and
- perform a requested action when the authenticity of the signed action request is verified.
- 11. The communications/control module of clause 10, further comprising:
a virtual key switch that enables the processor to run the action request when the authenticity of the signed action request is verified. - 12. The communications/control module of clause 10 or clause 11, wherein the set of instructions further includes instructions to decrypt the signed action request; and/or wherein the instructions to perform the requested action when the authenticity of the signed action request is verified include:
instructions to control a communicatively coupled industrial element including at least one of: a communications/control module; an input/output module; a power module; a field device; a switch; a workstation; or a physical interconnect device. - 13. A method of authenticating a requested action, comprising:
- signing an action request with an action authenticator;
- sending the signed action request to a communications/control module;
- verifying the authenticity of the signed action request; and
- performing a requested action with the communications/control module when the authenticity of the signed action request is verified; and preferably further comprising:
- encrypting the action request with the action authenticator; and
- decrypting the action request with the communications/control module.
- 14. The method of clause 13, wherein the action authenticator comprises at least one of: a portable encryption device, preferably as defined in clause 3; a secured workstation, preferably as defined in clause 4; or a device lifecycle management system.
- 15. The method of clause 13 or clause 14, wherein performing the requested action with the communications/control module when the authenticity of the signed action request is verified includes:
controlling an industrial element according to the action request, the industrial element including at least one of: a communications/control module; an input/output module; a power module; a field device; a switch; a workstation; or a physical interconnect device.
Claims (15)
- A secure industrial control system, comprising:an action originator and a communications/control module configured to be at least partially operated according to action requests from the action originator;an action authenticator remotely located from the action originator and including a storage medium with a private key stored thereon and a processor configured to sign an action request from the action originator with the private key and send the signed action request to the communications/control module; andwherein the communications/control module is in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive sensor information or send control information to an actuator, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:receive the signed action request from the action authenticator and verify the authenticity of the signed action request, wherein verifying the authenticity of the signed action request further comprises:receiving a request datagram from the action authenticator, the request datagram including a first nonce a first device authentication key certificate, and a first identity attribute certificate;validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate;sending a response datagram to the action authenticator when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator, the authentication datagram including a second signature associated with the first and second nonces; andvalidating the authentication datagram by verifying the second signature associated with the first and second nonces; andperform the requested action when the authenticity of the signed action request is verified, wherein the action request includes one or more operator control actions from the action originator for monitoring and/or controlling sensor and/or actuator instrumentation.
- The industrial control system of claim 1, wherein the action originator comprises at least one of: an operator interface; an engineering interface; a local application interface; or a remote application interface.
- The secure industrial control system of claim 1 or claim 2, wherein the action authenticator comprises a portable encryption device, preferably comprising a smart card, that includes the at least one processor, preferably an encrypted microprocessor, in communication with the storage medium having the private key stored thereon.
- The secure industrial control system of any of claims 1 to 3, wherein the action authenticator comprises a secured workstation; preferably wherein the secured workstation is accessible via at least one of: a physical key; a portable encryption device; or a biometric cryptography device.
- The secure industrial control system of any of claims 1 to 4, wherein the action authenticator is further configured to encrypt the action request prior to sending the signed action request to the communication/control module.
- The secure industrial control system of any of claims 1 to 5, wherein the communications/control module incudes:
a virtual key switch that enables the processor to run the action request when the authenticity of the signed action request is verified. - The secure industrial control system of any of claims 1 to 6, wherein the communications/control module and the action authenticator are further configured to perform an authentication sequence.
- The secure industrial control system of any one of claims 1 to 7, wherein the one or more industrial elements further include at least one of: a communications/control module; a power module; a field device; a switch; a workstation; or a physical interconnect device.
- A communications/control module configured to be at least partially operated according to action requests from an action originator, comprising:at least one processor; anda non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:receive an action request initiated at an action originator and signed by an action authenticator;verify the authenticity of the signed action request;wherein verifying the authenticity of the signed action request further comprises:receiving a request datagram from the action authenticator, the request datagram including a first nonce a first device authentication key certificate, and a first identity attribute certificate;validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate;sending a response datagram to the action authenticator when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator, the authentication datagram including a second signature associated with the first and second nonces; andvalidating the authentication datagram by verifying the second signature associated with the first and second nonces; andperform the requested action when the authenticity of the signed action request is verified, wherein the action request includes one or more operator control actions from the action originator, and wherein the action originator includes at least one of: an operator interface, an engineering interface, a local application interface, and a remote application interface.
- The communications/control module of claim 9, further comprising:
a virtual key switch that enables the processor to run the action request when the authenticity of the signed action request is verified. - The communications/control module of claim 9 or claim 10, wherein the set of instructions further includes instructions to decrypt the signed action request; and/or wherein the instructions to perform the requested action when the authenticity of the signed action request is verified include:
instructions to control a communicatively coupled industrial element including at least one of: a communications/control module; an input/output module; a power module; a field device; a switch; a workstation; or a physical interconnect device. - A method of executing a requested action in a secure industrial control system, comprising:signing an action request from an action originator with an action authenticator, the action authenticator remotely located from the action originator and including a storage medium with a private key stored thereon and a processor configured to sign an action request from the action originator with the private key;receiving the signed action request at a communications/control module configured to be at least partially operated according to action requests from the action originator, the communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive sensor information or send control information to an actuator, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor for controlling communications with the one or more industrial elements;verifying the authenticity of the signed action request, wherein verifying the authenticity of the signed action request further comprisesreceiving a request datagram from the action authenticator, the request datagram including a first nonce a first device authentication key certificate, and a first identity attribute certificate;validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate;sending a response datagram to the action authenticator when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator 204, the authentication datagram including a second signature associated with the first and second nonces; andvalidating the authentication datagram by verifying the second signature associated with the first and second nonces; andexecuting the requested action via the communications/control module only when the authenticity of the signed action request is verified, wherein the action request includes commands from the action originator for monitoring and/or controlling sensor and/or actuator instrumentation; the method preferably further comprising:encrypting the action request with the action authenticator; anddecrypting the action request with the communications/control module.
- The method of claim 12, wherein the action authenticator comprises at least one of: a portable encryption device, preferably as defined in claim 3; a secured workstation, preferably as defined in claim 4; or a device lifecycle management system.
- The method of claim 12 or claim 13, wherein executing the requested action further includes:
controlling an industrial element according to the action request, the industrial element including at least one of: a communications/control module; an input/output module; a power module; a field device; a switch; a workstation; or a physical interconnect device. - The secure industrial control system of any of claims 1 to 8 or the method of any of claims 12 to 14, wherein the communications/control module and the at least one input/output module are configured to receive respective first and second unique security credentials at respective points of manufacture from a key management entity, the first and second unique security credentials being stored in respective memories of the communications/control module and the at least one input/output module, wherein at least one of the first and second unique security credentials is revokable by the key management entity remotely via communicative coupling with the communications/control module or the at least one input/output module.
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462021438P | 2014-07-07 | 2014-07-07 | |
US14/446,412 US10834820B2 (en) | 2013-08-06 | 2014-07-30 | Industrial control system cable |
US14/469,931 US9191203B2 (en) | 2013-08-06 | 2014-08-27 | Secure industrial control system |
US14/519,066 US10834094B2 (en) | 2013-08-06 | 2014-10-20 | Operator action authentication in an industrial control system |
EP14196409.8A EP2966520B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP14196409.8A Division EP2966520B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
EP14196409.8A Division-Into EP2966520B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3823425A1 true EP3823425A1 (en) | 2021-05-19 |
EP3823425B1 EP3823425B1 (en) | 2024-02-28 |
Family
ID=52737562
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP14196409.8A Active EP2966520B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
EP20201408.0A Active EP3823425B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP14196409.8A Active EP2966520B1 (en) | 2014-07-07 | 2014-12-04 | Operator action authentication in an industrial control system |
Country Status (4)
Country | Link |
---|---|
EP (2) | EP2966520B1 (en) |
JP (2) | JP2016019281A (en) |
CN (2) | CN105278398B (en) |
CA (1) | CA2875515A1 (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10764063B2 (en) * | 2016-04-13 | 2020-09-01 | Rockwell Automation Technologies, Inc. | Device specific cryptographic content protection |
EP3264208B1 (en) * | 2016-06-30 | 2021-01-06 | Siemens Aktiengesellschaft | Method for updating process objects in an engineering system |
DE102016118613A1 (en) | 2016-09-30 | 2018-04-05 | Endress+Hauser Process Solutions Ag | System and method for determining or monitoring a process variable in a plant of automation technology |
US20180129191A1 (en) * | 2016-11-04 | 2018-05-10 | Rockwell Automation Technologies, Inc. | Industrial automation system machine analytics for a connected enterprise |
EP3460598A1 (en) * | 2017-09-22 | 2019-03-27 | Siemens Aktiengesellschaft | Programmable controller |
EP3716566B1 (en) * | 2019-03-27 | 2023-06-07 | Barclays Execution Services Limited | System and method for providing secure data access |
US12007740B2 (en) | 2019-12-31 | 2024-06-11 | Schneider Electric Systems Usa, Inc. | Secure network of safety PLCs for industrial plants |
CN111865908B (en) * | 2020-06-08 | 2022-05-17 | 杭州电子科技大学 | Resource-constrained system secure communication method based on random encryption strategy |
CN114658553A (en) * | 2022-05-25 | 2022-06-24 | 广东西电动力科技股份有限公司 | Diesel generating set based on SCADA system control |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050144437A1 (en) * | 1994-12-30 | 2005-06-30 | Ransom Douglas S. | System and method for assigning an identity to an intelligent electronic device |
US20050229004A1 (en) * | 2004-03-31 | 2005-10-13 | Callaghan David M | Digital rights management system and method |
US20140068712A1 (en) * | 2012-09-06 | 2014-03-06 | Waterfall Security Solutions Ltd. | Remote control of secure installations |
Family Cites Families (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4113328B2 (en) * | 1999-12-28 | 2008-07-09 | 松下電器産業株式会社 | Information storage medium, non-contact IC tag, and access method |
JP2001292176A (en) * | 2000-04-10 | 2001-10-19 | Fuji Electric Co Ltd | Gateway device and method for integrating control/ information network |
US20020091931A1 (en) * | 2001-01-05 | 2002-07-11 | Quick Roy Franklin | Local authentication in a communication system |
FR2834403B1 (en) * | 2001-12-27 | 2004-02-06 | France Telecom | CRYPTOGRAPHIC GROUP SIGNATURE SYSTEM |
KR100559958B1 (en) * | 2002-12-10 | 2006-03-13 | 에스케이 텔레콤주식회사 | System and Method for Intermediate of Authentication Tool Between Mobile Communication Terminal |
CN100393034C (en) * | 2004-04-30 | 2008-06-04 | 北京航空航天大学 | A source authentication method applied in multicast communication system |
KR20080007564A (en) * | 2005-04-21 | 2008-01-22 | 프랑스 뗄레꽁(소시에떼 아노님) | Method and device for accessing a sim card housed in a mobile terminal |
CN101005359B (en) * | 2006-01-18 | 2010-12-08 | 华为技术有限公司 | Method and device for realizing safety communication between terminal devices |
JP4909626B2 (en) * | 2006-04-27 | 2012-04-04 | 株式会社Kddi研究所 | Attribute authentication system, attribute information anonymization method and program in the same system |
DE112006003953T5 (en) * | 2006-07-11 | 2009-08-20 | Abb Research Ltd. | A life cycle management system for intelligent electronic devices |
US8213902B2 (en) * | 2007-08-02 | 2012-07-03 | Red Hat, Inc. | Smart card accessible over a personal area network |
ATE495499T1 (en) * | 2007-08-15 | 2011-01-15 | Nxp Bv | 12C BUS INTERFACE WITH PARALLEL OPERATION MODE |
JP4858360B2 (en) * | 2007-08-29 | 2012-01-18 | 三菱電機株式会社 | Information provision device |
US8327130B2 (en) * | 2007-09-25 | 2012-12-04 | Rockwell Automation Technologies, Inc. | Unique identification of entities of an industrial control system |
US8001381B2 (en) * | 2008-02-26 | 2011-08-16 | Motorola Solutions, Inc. | Method and system for mutual authentication of nodes in a wireless communication network |
JP5329184B2 (en) * | 2008-11-12 | 2013-10-30 | 株式会社日立製作所 | Public key certificate verification method and verification server |
US20110154501A1 (en) * | 2009-12-23 | 2011-06-23 | Banginwar Rajesh P | Hardware attestation techniques |
AU2011205391B2 (en) * | 2010-01-12 | 2014-11-20 | Visa International Service Association | Anytime validation for verification tokens |
KR101133262B1 (en) * | 2010-04-08 | 2012-04-05 | 충남대학교산학협력단 | A hybrid key management method for robust SCADA systems and the session key generating method thereof |
CN102546707A (en) * | 2010-12-27 | 2012-07-04 | 上海杉达学院 | Client information management method and management system |
JP5762182B2 (en) * | 2011-07-11 | 2015-08-12 | 三菱電機株式会社 | Power management system, energy management device, information management device, control device |
CN103348623B (en) * | 2011-08-26 | 2016-06-29 | 松下电器产业株式会社 | Termination, checking device, key distribution device, content reproducing method and cryptographic key distribution method |
KR101543711B1 (en) * | 2011-10-11 | 2015-08-12 | 한국전자통신연구원 | Lightweight Group Signature System and Schemes with Short Signatures |
US8973124B2 (en) * | 2012-04-30 | 2015-03-03 | General Electric Company | Systems and methods for secure operation of an industrial controller |
US20140075186A1 (en) * | 2012-09-13 | 2014-03-13 | Texas Instruments Incorporated | Multiple Access Key Fob |
JP6013988B2 (en) * | 2013-07-18 | 2016-10-25 | 日本電信電話株式会社 | Data collection system, data collection method, gateway device, and data aggregation program |
CN103701919A (en) * | 2013-12-31 | 2014-04-02 | 曙光云计算技术有限公司 | Remote login method and system |
-
2014
- 2014-12-02 JP JP2014243830A patent/JP2016019281A/en active Pending
- 2014-12-04 EP EP14196409.8A patent/EP2966520B1/en active Active
- 2014-12-04 EP EP20201408.0A patent/EP3823425B1/en active Active
- 2014-12-19 CN CN201410799473.2A patent/CN105278398B/en active Active
- 2014-12-19 CA CA2875515A patent/CA2875515A1/en not_active Abandoned
- 2014-12-19 CN CN201910660260.4A patent/CN110376990B/en active Active
-
2021
- 2021-09-30 JP JP2021160356A patent/JP2022008660A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050144437A1 (en) * | 1994-12-30 | 2005-06-30 | Ransom Douglas S. | System and method for assigning an identity to an intelligent electronic device |
US20050229004A1 (en) * | 2004-03-31 | 2005-10-13 | Callaghan David M | Digital rights management system and method |
US20140068712A1 (en) * | 2012-09-06 | 2014-03-06 | Waterfall Security Solutions Ltd. | Remote control of secure installations |
Also Published As
Publication number | Publication date |
---|---|
EP2966520A2 (en) | 2016-01-13 |
JP2016019281A (en) | 2016-02-01 |
CN110376990B (en) | 2022-07-15 |
CA2875515A1 (en) | 2015-03-24 |
EP3823425B1 (en) | 2024-02-28 |
EP2966520A3 (en) | 2016-06-29 |
CN105278398B (en) | 2019-08-16 |
EP2966520B1 (en) | 2020-11-25 |
CN105278398A (en) | 2016-01-27 |
JP2022008660A (en) | 2022-01-13 |
CN110376990A (en) | 2019-10-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11722495B2 (en) | Operator action authentication in an industrial control system | |
US11977622B2 (en) | Authentication between industrial elements in an industrial control system | |
US12032675B2 (en) | Secure industrial control system | |
US11899604B2 (en) | Input/output module with multi-channel switching capability | |
EP2966806B1 (en) | Authentication of redundant communications/control modules in an industrial control system | |
EP3054385B1 (en) | Input/output module with multi-channel switching capability | |
US11144630B2 (en) | Image capture devices for a secure industrial control system | |
EP3823425B1 (en) | Operator action authentication in an industrial control system | |
EP3337201A2 (en) | Image capture devices for a secure industrial control system | |
CA2920133C (en) | Input/output module with multi-channel switching capability |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
|
AC | Divisional application: reference to earlier application |
Ref document number: 2966520 Country of ref document: EP Kind code of ref document: P |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20211119 |
|
RBV | Designated contracting states (corrected) |
Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602014089610 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H05K0007140000 Ipc: G06F0021330000 Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: H05K0007140000 Ipc: G06F0021330000 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/40 20220101ALI20230328BHEP Ipc: H04L 9/32 20060101ALI20230328BHEP Ipc: G06F 21/62 20130101ALI20230328BHEP Ipc: G06F 21/60 20130101ALI20230328BHEP Ipc: G06F 21/44 20130101ALI20230328BHEP Ipc: G06F 21/33 20130101AFI20230328BHEP |
|
INTG | Intention to grant announced |
Effective date: 20230419 |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: GALPIN, SAMUEL Inventor name: CLISH, TIMOTHY Inventor name: CALVIN, JAMES G. Inventor name: ROOYAKKERS, ALBERT |
|
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230521 |
|
GRAJ | Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted |
Free format text: ORIGINAL CODE: EPIDOSDIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
INTC | Intention to grant announced (deleted) | ||
INTG | Intention to grant announced |
Effective date: 20230921 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AC | Divisional application: reference to earlier application |
Ref document number: 2966520 Country of ref document: EP Kind code of ref document: P |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602014089610 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240628 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240529 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240528 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240528 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240528 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240628 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240529 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240628 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1661885 Country of ref document: AT Kind code of ref document: T Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240628 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20240228 |